How to enable TLS encryption¶
This guide will show how to enable TLS/SSL on a PostgreSQL cluster using the self-signed-certificates operator as an example.
Do not use self-signed certificates in production.
In this guide, we use self-signed certificates provided by the self-signed-certificates operator .
This is not recommended for a production environment.
Check the collection of Charmhub operators that implement the tls-certificate interface.
This guide assumes everything is deployed within the same network and Juju model.
See also: How to deploy for external TLS VIP access
Enable TLS¶
First, deploy the TLS charm:
juju deploy self-signed-certificates
To enable TLS integrate the two applications:
juju integrate postgresql:client-certificates self-signed-certificates:certificates
juju integrate postgresql-k8s:certificates self-signed-certificates:certificates
Check certificates in use¶
To check the certificates in use by PostgreSQL, run
openssl s_client -starttls postgres -connect <leader_unit_IP>:<port> | grep issuer
juju run postgresql/0 set-tls-private-key "external-key=$(base64 -w0 external-key-0.pem)" "internal-key=$(base64 -w0 internal-key.pem)"
juju run postgresql/1 set-tls-private-key "external-key=$(base64 -w0 external-key-1.pem)" "internal-key=$(base64 -w0 internal-key.pem)"
juju run postgresql/2 set-tls-private-key "external-key=$(base64 -w0 external-key-2.pem)" "internal-key=$(base64 -w0 internal-key.pem)"
juju run postgresql-k8s/0 set-tls-private-key "external-key=$(base64 -w0 external-key-0.pem)" "internal-key=$(base64 -w0 internal-key.pem)"
juju run postgresql-k8s/1 set-tls-private-key "external-key=$(base64 -w0 external-key-1.pem)" "internal-key=$(base64 -w0 internal-key.pem)"
juju run postgresql-k8s/2 set-tls-private-key "external-key=$(base64 -w0 external-key-2.pem)" "internal-key=$(base64 -w0 internal-key.pem)"
Updates can also be done with auto-generated keys with
juju run postgresql/0 set-tls-private-key
juju run postgresql/1 set-tls-private-key
juju run postgresql/2 set-tls-private-key
juju run postgresql-k8s/0 set-tls-private-key
juju run postgresql-k8s/1 set-tls-private-key
juju run postgresql-k8s/2 set-tls-private-key
Disable TLS¶
Disable TLS by removing the integration.
juju remove-relation postgresql:client-certificates self-signed-certificates:certificates
juju remove-relation postgresql-k8s:certificates self-signed-certificates:certificates